Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a client device or computing system such as a computer, set-top box, or mobile device without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware, botnets or botnet control and command software and any other malicious or unwanted software. The vulnerability of client devices to attack by malware and other intrusion processes such as botnets (often referred to as computer “infections”) is widely acknowledged. Cautious users and system operators will protect their client devices and systems by deploying appropriate security applications including antivirus applications. Security applications will introduce firewalls to defend against intrusion, as well as various engines to detect and eliminate malware including viruses, trojans, worms, spyware etc.
A client device may comprise or represent any device used to connect to or access wired or wireless communication networks. Examples of client devices that may be used in certain embodiments of the invention are wired or wireless devices such as computers, mobile telephones, terminals, smart phones, portable computing devices such as lap tops, handheld devices, tablets, net-books, personal digital assistants and other devices that can connect and communicate over a wired or wireless communication network.
Malware may end up on a client device via various techniques such as Domain Name System server hijacking or spoofing. Although such techniques may be used for benign purposes such as advertising performed by internet service providers (ISP), others may use these techniques for malware attacks such as botnets. For example, in DNS spoofing a malicious DNS record (e.g. a malware domain name and corresponding Internet Protocol (IP) address) may be introduced into a DNS server's cache database, causing the DNS server to return the malicious IP address, diverting network traffic to a malicious attacker.
A “botnet” is a collection of infected client devices such as computers or mobile telephones, each of which is known as a “bot” or “node”, connected to a network such as the Internet. Client devices that are connected to the Internet may be vulnerable to being recruited into a botnet. Client devices can be recruited into a botnet in a number of ways, for example by a drive-by-download or Trojan-horse malware. Once a client device has been recruited, a botnet controller will be able to make a connection to the client device, and command it to perform malicious activities, for example attack other client devices, host malicious websites, upload personal data or install other malicious modules on the device.
There are a number of existing prevention measures or technologies that are typically carried out to try and detect activities on a client device that are indicative of malware attacks such as botnet attacks or behaviour. One example is a network based intrusion detection system (NIDS). A NIDS is an independent platform that identifies intrusions by examining network traffic and monitoring multiple hosts. A NIDS gains access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are typically located at choke points in the network to be monitored. Sensors capture all network traffic and analyse the content of individual packets for malicious traffic. Most results returned from the NIDS are from network packet analysis, but because NIDSs are typically heuristic in nature, they are not always reliable. Other technologies can be employed to actively participate in ongoing network communications and protect against botnets, spyware or other malicious attacks using malware. For example, an inline intrusion detection system (IDS) may be used to normalise the network traffic passing through it. Should the IDS detect unusual network traffic such as botnet or other malware traffic, then it can terminate the ongoing malicious connection. For example, a malicious transmission control protocol (TCP) connection can be terminated by sending TCP reset packets to both endpoint devices. For User Datagram Protocol (UDP) traffic, the IDS can decide not to forward the malicious packets, thus in effect terminating the data transmission. It is to be appreciated that malicious connections can be in any standard or proprietary communication protocol. Some ISPs use an IDS to detect botnets in their network. Such an IDS may detect botnet clients (recruited client devices) by analysing DNS traffic.
A DNS query for a malicious botnet domain can then be used as an indication that certain internet protocol (IP) addresses in the ISP network have been infected by that botnet or other malware.
But, in reality, many client devices of an ISP actually sit behind some form of network address translation (NAT) device (e.g. a DSL switch, Wi-Fi router, proxy or gateway server). This means that the botnet infected IP address that the ISP sees is actually the IP address of the NAT device, which cannot be used reliably to identify the client device that has been infected. This means the heavy-handed protection of users' computer devices (client computers) by denying/blocking/resetting any connections to known compromised IP addresses may block one or a multiplicity of client devices that are actually clean or free from malware infection. An ISP cannot identify the client device(s) infected with malware or forming part of a botnet simply based on IP address because there is usually more than one client device behind the NAT device that the ISP cannot individually identify (e.g. a home may have many Wi-Fi devices, laptops, mobile devices and smart phones accessing the Internet via a single Wi-Fi router, or there may be many client devices such as computers in a corporate network accessing the Internet via a gateway/proxy server).
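The following is an added example, not part of the patent text, illustrating the DNS-based botnet client detection described above together with the NAT attribution problem. The log format, the blocklisted domains and the NAT table are all constructed placeholders (RFC 5737 and RFC 1918 addresses, `.example` names), not real indicators.

```python
# Added example: match DNS queries seen at an ISP resolver against a list of known
# botnet domains, then show why the flagged (public) IP cannot single out one device.
from collections import defaultdict

# Constructed sample log, one query per line: "timestamp src_ip qname".
DNS_LOG = """\
2024-01-01T10:00:01 203.0.113.10 www.example.com.
2024-01-01T10:00:02 203.0.113.10 c2.bad-domain.example.
2024-01-01T10:00:03 203.0.113.25 mail.example.net.
2024-01-01T10:00:04 203.0.113.10 update.c2.bad-domain.example.
2024-01-01T10:00:05 203.0.113.40 tracker.evil-botnet.example.
"""

# Constructed blocklist of botnet domains (placeholders, not real indicators).
BOTNET_DOMAINS = {"c2.bad-domain.example", "evil-botnet.example"}


def is_botnet_domain(qname, blocklist=BOTNET_DOMAINS):
    """True if qname equals, or is a subdomain of, a listed botnet domain."""
    labels = qname.rstrip(".").lower().split(".")
    # Test every suffix so "update.c2.bad-domain.example" matches "c2.bad-domain.example".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def suspect_ips(log_text, blocklist=BOTNET_DOMAINS):
    """Map each source IP that queried a botnet domain to the domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, src_ip, qname = parts
        if is_botnet_domain(qname, blocklist):
            hits[src_ip].add(qname.rstrip(".").lower())
    return dict(hits)


# Constructed NAT table: public IP -> private devices behind it. The ISP does not
# see this mapping; it is included here only to quantify the attribution gap.
NAT_TABLE = {"203.0.113.10": ["10.0.0.2", "10.0.0.3", "10.0.0.4"],
             "203.0.113.40": ["10.0.0.9"]}


def attribution_ambiguity(hits, nat_table):
    """For each flagged public IP, the number of devices a block or reset would hit."""
    return {ip: len(nat_table.get(ip, [ip])) for ip in hits}
```

Here 203.0.113.10 is flagged, but three devices share that address, so blocking or resetting its connections affects two devices that may be entirely clean.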
In addition, client devices accessing particular domain names of interest to authorities or their ISP may use subversive communication measures, e.g. encrypted communication technologies, to access the particular domain name of interest. This may require the use of brute force and expensive techniques, such as engaging cryptography experts, to find evidence that the client devices are indeed accessing and communicating with the particular domain of interest. This is expensive in technological terms, in cost and in time. There is therefore a further desire for efficiently detecting and identifying client devices accessing a particular domain.